CISSP Mindmap-Domain 5: Identity and Access Management
An Interactive CISSP Mindmap Series
CISSP Mindmap – Domain 05
A comprehensive CISSP Mindmap Series will include all 8 Domains. This collection is designed to equip prospective CISSP professionals with essential resources for exam preparation, training and reference.
CISSP Mindmap - Domain 05
CISSP Interactive Mindmap
Domain_05: Key Concepts and Terminology
- Authentication: Verifying the identity of users, devices, or services before granting access.
- Authorization: Determining the privileges or permissions a user has after authentication.
- Accounting (AAA): Tracking user activities and maintaining logs for auditing and monitoring.
- Single Sign-On (SSO): Allowing users to log in once and gain access to multiple systems without re-authenticating.
- Federated Identity Management (FIM): Linking user identity across multiple organizations or domains.
- Just-In-Time (JIT) Access: Providing temporary access privileges based on real-time requirements.
- Discretionary Access Control (DAC): Access policies are determined by the owner of the resource.
- Mandatory Access Control (MAC): Access policies are enforced by a central authority, based on security labels.
- Role-Based Access Control (RBAC): Access is assigned based on the user’s role within the organization.
- Attribute-Based Access Control (ABAC): Access is based on a set of attributes, including user, environment, and resource attributes.
- Access Control Lists (ACLs): A list specifying which users or system processes are granted access to objects.
- Least Privilege: Granting users the minimum level of access required to perform their job functions.
- Separation of Duties (SoD): Dividing responsibilities among different individuals to prevent conflict of interest or fraud.
- Security Tokens: Physical or virtual devices used to prove one’s identity electronically.
- Multi-Factor Authentication (MFA): Using two or more verification methods, such as passwords, tokens, and biometrics.
- Biometric Authentication: Using unique biological characteristics (e.g., fingerprints, retina scans) for identification.
- Password Vault: A system to store and manage complex passwords securely.
- Session Management: Maintaining and securing user sessions to prevent hijacking or unauthorized access.
- Account Access Review: Regularly reviewing user accounts to ensure appropriate access rights.
- Provisioning/Deprovisioning: Granting and revoking access rights during onboarding, offboarding, or internal role changes.
- Role Definition and Transition: Defining roles and handling changes in roles that affect access rights.
- Service Accounts Management: Managing non-human accounts used by applications and services.
- LDAP (Lightweight Directory Access Protocol): A protocol for accessing and maintaining distributed directory information.
- Active Directory: A Microsoft directory service used to manage users, groups, and resources in a network.
- Password Attacks: Methods like brute force, dictionary attacks, and phishing aimed at compromising user passwords.
- Social Engineering: Techniques used to manipulate individuals into divulging confidential information.
- Privilege Escalation: Gaining higher access privileges than initially granted.
- Defense Mechanisms: Include enforcing strong password policies, MFA, account lockout policies, and regular audits.
- SAML (Security Assertion Markup Language): A standard for exchanging authentication and authorization data between parties.
- OAuth: An authorization protocol that allows third-party services to access user resources without exposing passwords.
- Kerberos: A network authentication protocol using tickets for secure communication over non-secure networks.
- Cloud Access Security Broker (CASB): Security policy enforcement points placed between cloud service consumers and providers.
- Identity as a Service (IDaaS): Cloud-based identity and access management solutions.
- Access Control Concepts
-
- Authentication: Verifying the identity of users, devices, or services before granting access.
- Authorization: Determining the privileges or permissions a user has after authentication.
- Accounting (AAA): Tracking user activities and maintaining logs for auditing and monitoring.
- Single Sign-On (SSO): Allowing users to log in once and gain access to multiple systems without re-authenticating.
- Federated Identity Management (FIM): Linking user identity across multiple organizations or domains.
- Just-In-Time (JIT) Access: Providing temporary access privileges based on real-time requirements.
- Access Control Models
-
- Discretionary Access Control (DAC): Access policies are determined by the owner of the resource.
- Mandatory Access Control (MAC): Access policies are enforced by a central authority, based on security labels.
- Role-Based Access Control (RBAC): Access is assigned based on the user’s role within the organization.
- Attribute-Based Access Control (ABAC): Access is based on a set of attributes, including user, environment, and resource attributes.
- Key IAM Concepts
-
- Access Control Lists (ACLs): A list specifying which users or system processes are granted access to objects.
- Least Privilege: Granting users the minimum level of access required to perform their job functions.
- Separation of Duties (SoD): Dividing responsibilities among different individuals to prevent conflict of interest or fraud.
- Security Tokens: Physical or virtual devices used to prove one’s identity electronically.
- Identification and Authentication Mechanisms
-
- Multi-Factor Authentication (MFA): Using two or more verification methods, such as passwords, tokens, and biometrics.
- Biometric Authentication: Using unique biological characteristics (e.g., fingerprints, retina scans) for identification.
- Password Vault: A system to store and manage complex passwords securely.
- Session Management: Maintaining and securing user sessions to prevent hijacking or unauthorized access.
- Access Provisioning Lifecycle
-
- Account Access Review: Regularly reviewing user accounts to ensure appropriate access rights.
- Provisioning/Deprovisioning: Granting and revoking access rights during onboarding, offboarding, or internal role changes.
- Role Definition and Transition: Defining roles and handling changes in roles that affect access rights.
- Service Accounts Management: Managing non-human accounts used by applications and services.
- Directory Services
-
- LDAP (Lightweight Directory Access Protocol): A protocol for accessing and maintaining distributed directory information.
- Active Directory: A Microsoft directory service used to manage users, groups, and resources in a network.
- Access Control Attacks and Defenses
-
- Password Attacks: Methods like brute force, dictionary attacks, and phishing aimed at compromising user passwords.
- Social Engineering: Techniques used to manipulate individuals into divulging confidential information.
- Privilege Escalation: Gaining higher access privileges than initially granted.
- Defense Mechanisms: Include enforcing strong password policies, MFA, account lockout policies, and regular audits.
- IAM Protocols and Standards
-
- SAML (Security Assertion Markup Language): A standard for exchanging authentication and authorization data between parties.
- OAuth: An authorization protocol that allows third-party services to access user resources without exposing passwords.
- Kerberos: A network authentication protocol using tickets for secure communication over non-secure networks.
- Cloud Identity and Access Management
-
- Cloud Access Security Broker (CASB): Security policy enforcement points placed between cloud service consumers and providers.
- Identity as a Service (IDaaS): Cloud-based identity and access management solutions.
Domain_05: Key Terms & Definitions
- Identity Management – The process of identifying, tracking, and managing the digital identities of users to control access to corporate resources. Identity management systems provide tools for creating, modifying, and deleting user identities.
- Access Management – The techniques and processes that control and manage access to resources, ensuring that users have the appropriate permissions to perform certain tasks.
- Authentication – The process of verifying the identity of a user, device, or other entity in a computer system, typically as a prerequisite to granting access to resources in the system.
- Authorization – The process of determining if a particular user, program, or device has the right to carry out a certain activity, such as accessing a specific file or network, after authentication has been successful.
- Single Sign-On (SSO) – A user authentication process that permits a user to enter one name and password in order to access multiple applications. It eliminates the need for multiple passwords and simplifies the user’s experience.
- Multifactor Authentication (MFA) – A security mechanism that requires more than one method of authentication from independent categories of credentials to verify the user’s identity for a login or other transaction.
- Role-Based Access Control (RBAC) – A method of regulating access to computer or network resources based on the roles of individual users within an enterprise. Users are assigned roles, and through those roles, they gain permissions to perform certain actions.
- Access Control List (ACL) – A table that tells a computer operating system which access rights each user or device has to a particular system object, such as a file directory or individual file.
- Identity Federation – A system of trust between different organizations that allows for the sharing of identity information across multiple IT systems or applications. Federation enables users to use the same identification data to obtain access to the networks of all enterprises in the group.
- Privileged Access Management (PAM) – The monitoring and protection of accounts and processes that have elevated (or privileged) access or permissions to critical and sensitive systems within an IT environment.
- User Entity Behavior Analytics (UEBA) – Security solutions that analyze the behaviors of users and entities (systems, devices, etc.) within an environment to detect anomalies or deviations that could indicate potential security threats.
- Credential Stuffing – A type of cyberattack where stolen account credentials, typically consisting of lists of usernames and/or email addresses and the corresponding passwords, are used to gain unauthorized access to user accounts through large-scale automated login requests directed against a web application.
Domain_05: Key Areas
Control Access to Assets:
- Understand and apply the fundamental concepts of access control systems and methodologies.
- Manage identification and authentication of people, devices, and services.
- Integrate identity as a third-party service (e.g., on-premise, cloud, and hybrid).
- Implement and manage authorization mechanisms.
- Manage the identity and access provisioning lifecycle (e.g., provisioning, review, revocation).
Identification and Authentication:
- Understand and implement various forms of user authentication, from passwords and tokens to biometrics and multifactor authentication (MFA).
- Address the strengths and weaknesses of different authentication methods and strategies for their deployment.
Access Control Systems and Methodology:
- Delve into the principles of access control systems, including discretionary access control (DAC), mandatory access control (MAC), and role-based access control (RBAC).
- Explore how these methodologies are applied in real-world scenarios to protect information and systems.
Single Sign-On (SSO) and Session Management:
- Examine the concepts and applications of SSO, including federated identity management.
- Understand the technologies and protocols that support SSO, such as SAML, OpenID Connect, and OAuth.
- Manage user sessions to ensure secure access and use of resources over time.
Accountability, Monitoring, and Reporting Access:
- Implement logging and monitoring mechanisms to track user activities and detect potential security incidents.
- Understand the importance of audit logs and accountability in tracing access and actions within systems.
- Utilize access review and reporting tools to comply with policies, standards, and regulations.
Identity as a Service (IDaaS):
- Explore the use of cloud-based services for identity management, including considerations for security, privacy, and compliance.
- Understand the integration of on-premise IAM with cloud-based services, addressing challenges and benefits.
Third-Party Identity Services:
- Manage risks and security considerations when integrating third-party identity services into an organization’s IAM framework.
- Address the complexities of federated identities across different domains and services.
Provisioning and De-provisioning of Resources:
-
- Understand the lifecycle of identity and access management, from the initial provisioning of access to resources to the de-provisioning or revocation of that access.
- Implement processes and controls to ensure timely and accurate management of access rights as roles and relationships change
Resources
- (ISC)2 CISSP Official Study Guide (OSG) 9th Edition by Mike Chapple, James Michael Stewart, and Darril Gibson
- Chapter 13 – Chapter14, Pg637-718
- CISSP All-in-One Exam Guide, Ninth Edition by Fernando Maymi and Shon Harris
- Part V, Pg715-808
- Eleventh Hour CISSP® Study Guide, Third Edition by Eric Conrad, Seth Misenar, Joshua Feldma
- Domain-05, P117-133
- Destination Certification – A Concise Guide by Rob Witcher, John Berti, Lou Hablas, Nick Mitropoulos
- Domain-05, Pg315-349
-
The Official (ISC)2 CISSP CBK Reference, 6th Edition by Arthur Deane and Aaron Kraus
- Domain-05, Pg377-418
Books Reference
Practice Tests
- (ISC)2 CISSP Official Practice Tests by Mike Chapple and David Seidl
- How to Think Like a Manager for the CISSP Exam by Luke Ahmed
- Boson Practice Exam
- Study Notes and Theory (SNT) by Luke Ahmed
Videos
- Mike Chapple’s CISSP Cert Prep on LinkedIn Learning.
- Kelly Handerhan’s CISSP Prep Course on Cybrary
- Destination CISSP Mindmap Video
- Pete Zerger’s CISSP Exam Cram
- Prabh’s Coffee Shots
- Luke Ahmed’s Study Notes and Theory (SNT)
Credits & Disclaimer
We express our gratitude to the below-mentioned authors, creators, and sources which have been referred for the creation of our Interactive CISSP Mindmap – Mike Chapple and David Seidl (OSG), Luke Ahmed (SNT), Pete Zerger (Exam Cram), Prashant Mohan (Memory Palace) , Prabh (Coffee shots), Rob Witcher (destcert.com/) and M. Waleed Khaliq (CISSP Concepts Guide).This Mindmap has been meticulously created to ensure that information is shared effectively. This Mindmap aims to offer a thorough grasp of essential concepts with a dedication to assist enhanced learning experiences. We hope that this resource helps people absorb information more thoroughly, which will lead to a broader understanding of each CISSP domains and is freely available for all.
Contribution
We have already included some reference images and short notes for most of the topics so that users can more effectively refer to the content in the mindmap. If you have any information, images, or notes that can make the mindmap more effective, please feel free to share them.
https://github.com/sajinshivdas/CISSP_Interactive_Mindmap/tree/main/CISSP_Domain_05
For issues and concern please feel free to raise a issue in Github link https://github.com/sajinshivdas/CISSP_Interactive_Mindmap/issues
Connect with me www.linkedin.com/in/sajin-shivdas
Related Mindmaps
Find the related mindmaps of CISSP Domains below.